This topic describes how to create anti-DDoS protection policies for non-website services. Both Anti-DDoS Pro and Anti-DDoS Premium allow you to create the following anti-DDoS protection policies to protect non-website services against Layer 4 DDoS attacks: False Source (with the Empty Connection option), Speed Limit for Destination, Packet Length Limit, and Speed Limit for Source. After you create port forwarding rules for an Anti-DDoS Pro or Anti-DDoS Premium instance and associate a non-website service with the instance, you can create an anti-DDoS protection policy for a specific port forwarding rule, or for multiple port forwarding rules at a time.

Prerequisites

A port forwarding rule for a non-website service is configured on the Port Config page. For more information, see Create forwarding rules.

Background information

Notice In the top navigation bar of the Anti-DDoS Pro or Anti-DDoS Premium console, you can switch the region (Mainland China and Outside Mainland China), and the system switches between Anti-DDoS Pro and Anti-DDoS Premium accordingly for you to manage and configure Anti-DDoS Pro or Premium instances. Ensure that you switch to the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.

For non-website services, anti-DDoS protection policies are configured based on IP addresses and ports: each policy is attached to the port forwarding rule of the protected service, so its settings apply only to that port of the instance. To mitigate connection-oriented DDoS attacks, you can set the connection rate, packet length, and other parameters as required.

Both Anti-DDoS Pro and Anti-DDoS Premium allow you to create the following types of anti-DDoS protection policies for non-website services:
  • False Source: verifies and filters DDoS attacks initiated from forged IP addresses.
  • Speed Limit for Destination: limits the number of new connections per second and the number of concurrent connections to a specific port, identified by the IP address and port of your Anti-DDoS Pro or Anti-DDoS Premium instance. Connections to that port beyond the configured limits are dropped. Other ports of the instance are not limited.
  • Packet Length Limit: specifies the minimum and maximum lengths of packets that are allowed to pass through. Packets with invalid lengths are dropped.
  • Speed Limit for Source: limits the new connection rate, the number of concurrent connections, the packet rate, and the bandwidth of a single source IP address that accesses a specific port, identified by the IP address and port of your Anti-DDoS Pro or Anti-DDoS Premium instance. Traffic from that source IP address beyond the configured limits is dropped. Other source IP addresses are not limited. This policy also supports a blacklist: a source IP address that exceeds a limit five times within 60 seconds can be added to a blacklist for a blocking period that you specify.

Create an anti-DDoS protection policy

The following procedure shows how to create an anti-DDoS protection policy for a specific port forwarding rule. You can also create anti-DDoS protection policies for multiple port forwarding rules at a time. For more information, see Create anti-DDoS protection policies for multiple port forwarding rules at a time.

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region of your Anti-DDoS instance.
    • Mainland China: Anti-DDoS Pro
    • Outside Mainland China: Anti-DDoS Premium
  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
  4. On the General Policies page, click the Protection for Non-website Services tab. On the tab that appears, select the target instance from the Select Instance drop-down list.
  5. Select the forwarding rule for which you want to create a policy from the list on the left side.
  6. Configure settings in the False Source, Speed Limit for Destination, Packet Length Limit, and Speed Limit for Source sections.
    • False Source: In the False Source section, turn on or off False Source or Empty Connection.
      • False Source: Turn on this switch to block requests from forged IP addresses. After you turn on the switch, Anti-DDoS Pro or Anti-DDoS Premium automatically filters requests initiated from forged IP addresses.
        Note This policy only applies to TCP rules.
      • Empty Connection: Turn on this switch to block requests that attempt to establish null sessions. After you turn on the switch, Anti-DDoS Pro or Anti-DDoS Premium automatically filters requests that attempt to establish null sessions.
        Note This policy only applies to TCP rules. To enable this policy, you must first enable the False Source policy.
    • Speed Limit for Destination: In the Speed Limit for Destination section, click Change Settings. In the Change Settings dialog box, specify the required parameters and then click OK.
      • Destination New Connection Rate Limit: the maximum number of new connections per second that can be established to a port of your Anti-DDoS Pro or Anti-DDoS Premium instance. The value ranges from 100 to 100000. New connection requests to the port beyond this limit are dropped.
        Note The limit on new connections may deviate slightly from the configured value because scrubbing nodes are deployed in clusters.
      • Destination Concurrent Connection Rate Limit: the maximum number of concurrent connections that can be established to a port of your Anti-DDoS Pro or Anti-DDoS Premium instance. The value ranges from 1000 to 1000000. Connections to the port beyond this limit are dropped.
    • Packet Length Limit: In the Packet Length Limit section, click Change Settings. In the Change Settings dialog box, set the minimum and maximum lengths of the payload contained in a packet and then click OK. The value ranges from 0 to 6000. Unit: bytes. Packets whose payload length falls outside this range are dropped.
    • Speed Limit for Source: In the Speed Limit for Source section, click Change Settings. In the Configure Speed Limit for Source pane, specify the required parameters and then click OK.
      • Source New Connection Rate Limit: the maximum number of new connections per second that can be initiated from a single source IP address. The value ranges from 1 to 50000. New connection requests from the IP address beyond this limit are dropped. This parameter supports Automatic and Manual modes.
        • If you select Automatic, Anti-DDoS Pro or Anti-DDoS Premium dynamically calculates the maximum number of new connections per second that can be initiated from a single source IP address.
        • If you select Manual, you specify the maximum number of new connections per second that can be initiated from a single source IP address.
        Note The limit on new connections may deviate slightly from the configured value because scrubbing nodes are deployed in clusters.
        Blacklist policy
        • If you select the "When the number of new connections from a source client exceeds the threshold five times within one minute, the IP address of the source client is added to the blacklist." check box, all requests from IP addresses in the blacklist are dropped.
        • To enable the blacklist policy, you must set Validity Period for Blacklist. The value ranges from 1 to 10080. The default value is 30. Unit: minutes. An IP address is removed from the blacklist when its validity period ends.
      • Source Concurrent Connection Rate Limit: the maximum number of concurrent connections that can be established from a single source IP address. The value ranges from 1 to 50000. Connections from the IP address beyond this limit are dropped.
        Blacklist policy
        • If you select the "When the number of concurrent connections from a source client exceeds the threshold five times within one minute, the IP address of the source client is added to the blacklist." check box, all requests from IP addresses in the blacklist are dropped.
        • To enable the blacklist policy, you must set Validity Period for Blacklist. The value ranges from 1 to 10080. The default value is 30. Unit: minutes. An IP address is removed from the blacklist when its validity period ends.
      • PPS Limit for Source: the maximum number of packets per second allowed from a single source IP address. The value ranges from 1 to 100000. Unit: packet/s. Packets from the IP address beyond this limit are dropped.
        Blacklist policy
        • If you select the "When the source packets per second (PPS) of a source client exceeds the threshold five times within one minute, the IP address of the source client is added to the blacklist." check box, all requests from IP addresses in the blacklist are dropped.
        • To enable the blacklist policy, you must set Validity Period for Blacklist. The value ranges from 1 to 10080. The default value is 30. Unit: minutes. An IP address is removed from the blacklist when its validity period ends.
      • Bandwidth Limit for Source: the maximum bandwidth of a single source IP address. The value ranges from 1024 to 268435456. Unit: bytes/s.
        Blacklist policy
        • If you select the "When the source bandwidth of a source client exceeds the threshold five times within one minute, the IP address of the source client is added to the blacklist." check box, all requests from IP addresses in the blacklist are dropped.
        • To enable the blacklist policy, you must set Validity Period for Blacklist. The value ranges from 1 to 10080. The default value is 30. Unit: minutes. An IP address is removed from the blacklist when its validity period ends.
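The following Python model is an added illustration of how a Speed Limit for Source threshold and its blacklist option interact; it is not Anti-DDoS Pro's or Anti-DDoS Premium's own implementation. It applies a Manual new-connection threshold per source IP address, and after five threshold exceedances within 60 seconds it blacklists the address for the configured Validity Period for Blacklist, dropping everything from it until the period ends. The per-second accounting, the sliding 60-second window, and the sample addresses and rates are assumptions made for the example; as the notes above say, the real service runs on clustered scrubbing nodes and its counts can deviate from the configured values.

```python
from collections import defaultdict, deque


class SourceRateLimiter:
    """Model of Speed Limit for Source (Manual mode) with the blacklist option.

    Assumptions made for this example, not taken from the product:
    - traffic is fed in as a per-second count of new connections per source IP;
    - "five times within one minute" is evaluated over a sliding 60-second
      window of the seconds in which the threshold was exceeded.
    """

    EXCEEDANCES_TO_BLACKLIST = 5   # documented: five times within one minute
    WINDOW_SECONDS = 60

    def __init__(self, threshold, blacklist_minutes=30, blacklist_enabled=True):
        self.threshold = threshold                       # new connections/s per source IP
        self.blacklist_seconds = blacklist_minutes * 60  # Validity Period for Blacklist
        self.blacklist_enabled = blacklist_enabled       # the check box in the console
        self._exceedances = defaultdict(deque)           # ip -> seconds in which it exceeded
        self._blacklist = {}                             # ip -> expiry time (seconds)

    def is_blacklisted(self, ip, now):
        """True while the IP is inside its blacklist validity period."""
        expiry = self._blacklist.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                                # validity period ended: release
            del self._blacklist[ip]
            return False
        return True

    def observe_second(self, ip, second, new_conns):
        """Account for `new_conns` new connections from `ip` during `second`.

        Returns (accepted, dropped) for that second.
        """
        if self.is_blacklisted(ip, second):
            return 0, new_conns                          # all requests from a listed IP are dropped
        accepted = min(new_conns, self.threshold)
        dropped = new_conns - accepted
        if dropped and self.blacklist_enabled:
            window = self._exceedances[ip]
            window.append(second)
            while window and window[0] <= second - self.WINDOW_SECONDS:
                window.popleft()                         # forget exceedances older than 60 s
            if len(window) >= self.EXCEEDANCES_TO_BLACKLIST:
                self._blacklist[ip] = second + self.blacklist_seconds
                window.clear()
        return accepted, dropped


def run_demo(threshold=100, blacklist_minutes=30, seconds=8):
    """Replay constructed traffic: one flooding source and one normal client."""
    limiter = SourceRateLimiter(threshold, blacklist_minutes)
    attacker, client = "203.0.113.9", "198.51.100.5"   # constructed sample addresses
    rates = {attacker: 500, client: 20}                 # constructed new connections/s
    totals = {ip: [0, 0] for ip in rates}               # ip -> [accepted, dropped]
    for second in range(seconds):
        for ip, rate in rates.items():
            accepted, dropped = limiter.observe_second(ip, second, rate)
            totals[ip][0] += accepted
            totals[ip][1] += dropped
    return limiter, totals


if __name__ == "__main__":
    limiter, totals = run_demo()
    for ip, (accepted, dropped) in totals.items():
        print(f"{ip}: accepted={accepted} dropped={dropped} "
              f"blacklisted={limiter.is_blacklisted(ip, 7)}")
```

With a threshold of 100 new connections per second, the flooding source is rate limited for its first five seconds (100 accepted, 400 dropped each second) and is then blacklisted for 30 minutes, after which nothing from it is accepted; the client sending 20 connections per second is never affected. Raising the threshold delays the blacklist by the same count of exceedances, which is the trade-off to weigh against false positives from large NAT gateways when you choose Manual values.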

Create anti-DDoS protection policies for multiple port forwarding rules at a time

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region of your Anti-DDoS instance.
    • Mainland China: Anti-DDoS Pro
    • Outside Mainland China: Anti-DDoS Premium
  3. In the left-side navigation pane, choose Provisioning > Port Config.
  4. On the Port Config page, select the target instance, click Batch Operations below the rule list, and select DDoS Protection Policy Settings.
  5. In the Create Anti-DDoS Protection Policy dialog box, follow the required formats to enter the content of anti-DDoS protection policies and then click Create.
    The following section describes the formats of anti-DDoS protection policies.
    Note You can also export anti-DDoS protection policies to a TXT file, modify the content in the TXT file, and then copy and paste the modified content to the target fields. The formats of anti-DDoS protection policies in the exported file must be the same as those of the policies that you want to create. For more information, see Export multiple port configurations.
    • Enter one policy in each row.
    • Each anti-DDoS protection policy must contain the following fields, from left to right and separated with spaces: forwarding port, forwarding protocol, source new connection rate limit, source concurrent connection rate limit, destination new connection rate limit, destination concurrent connection rate limit, minimum packet length, maximum packet length, false source status, and empty connection status. The forwarding protocol can be TCP or UDP. For more information about the fields and valid values, see Parameters and descriptions of anti-DDoS protection policies.
    • The forwarding port must be a port specified in a forwarding rule.
    • The valid values of both False Source and Empty Connection are on and off. If any of these parameters is not set, the switch is turned off.
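The following Python validator is an added example, not part of the Anti-DDoS console or of Alibaba Cloud's own tooling. It checks a batch of policy lines against the field order and value ranges documented on this page before you paste them into the dialog, and applies the cross-field rules from the console notes (False Source and Empty Connection apply only to TCP rules, and Empty Connection requires False Source). The port range 1 to 65535, treating an omitted trailing switch field as off, requiring the minimum packet length not to exceed the maximum, and the sample lines and rule ports are assumptions made for the example; whether the dialog itself rejects these combinations is not stated here.

```python
from collections import namedtuple

# Field order as given on the page: one policy per line, fields separated by spaces.
FIELDS = ("forwarding_port", "protocol", "src_new_conn", "src_concurrent",
          "dst_new_conn", "dst_concurrent", "min_pkt_len", "max_pkt_len",
          "false_source", "empty_connection")
Policy = namedtuple("Policy", FIELDS)

# Inclusive ranges from the parameter descriptions above. The port range is an
# assumption; the page only says the port must come from an existing forwarding rule.
RANGES = {"forwarding_port": (1, 65535), "src_new_conn": (1, 50000),
          "src_concurrent": (1, 50000), "dst_new_conn": (100, 100000),
          "dst_concurrent": (1000, 1000000), "min_pkt_len": (0, 6000),
          "max_pkt_len": (0, 6000)}
SWITCHES = ("false_source", "empty_connection")


def parse_policy(line, known_ports=None):
    """Return (Policy, []) for a valid line, or (None, [error, ...]) otherwise."""
    tokens = line.split()
    # The page says an unset switch is treated as off, so this validator lets the
    # two trailing switch fields be omitted (assumption); everything else is mandatory.
    if not 8 <= len(tokens) <= 10:
        return None, [f"expected 8 to 10 fields, got {len(tokens)}"]
    tokens += ["off"] * (10 - len(tokens))
    values, errors = {}, []
    for name, tok in zip(FIELDS, tokens):
        if name in RANGES:
            if not tok.isdigit():
                errors.append(f"{name}: '{tok}' is not a non-negative integer")
                continue
            lo, hi = RANGES[name]
            values[name] = int(tok)
            if not lo <= values[name] <= hi:
                errors.append(f"{name}: {tok} is outside {lo}-{hi}")
        elif name == "protocol":
            values[name] = tok.upper()
            if values[name] not in ("TCP", "UDP"):
                errors.append(f"protocol: '{tok}' must be TCP or UDP")
        else:                                   # on/off switches
            if tok.lower() not in ("on", "off"):
                errors.append(f"{name}: '{tok}' must be on or off")
            values[name] = tok.lower() == "on"
    if errors:
        return None, errors
    # Cross-field rules taken from the console notes (plus the min/max assumption).
    if values["min_pkt_len"] > values["max_pkt_len"]:
        errors.append("min_pkt_len must not exceed max_pkt_len")
    if values["protocol"] != "TCP" and (values["false_source"] or values["empty_connection"]):
        errors.append("False Source and Empty Connection only apply to TCP rules")
    if values["empty_connection"] and not values["false_source"]:
        errors.append("Empty Connection requires False Source to be on")
    if known_ports is not None and values["forwarding_port"] not in known_ports:
        errors.append(f"port {values['forwarding_port']} has no forwarding rule")
    return (None, errors) if errors else (Policy(**values), [])


def parse_batch(text, known_ports=None):
    """Validate a whole dialog or TXT body; returns (policies, [(line_no, errors), ...])."""
    policies, rejected = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        policy, errors = parse_policy(line, known_ports)
        if policy:
            policies.append(policy)
        else:
            rejected.append((line_no, errors))
    return policies, rejected


def format_policy(p):
    """Render a Policy back into the batch line format (for a cleaned-up paste)."""
    return " ".join(("on" if getattr(p, f) else "off") if f in SWITCHES
                    else str(getattr(p, f)) for f in FIELDS)


# Constructed sample: ports of existing forwarding rules and five candidate lines.
KNOWN_PORTS = {53, 443, 3306, 8080, 9999}
SAMPLE = """\
443 TCP 200 1000 5000 50000 0 1500 on on
53 UDP 100 500 2000 10000 0 512 off off
8080 TCP 100 500 1000 5000 64 1500 on off
9999 UDP 100 500 1000 5000 0 1500 on off
3306 TCP 100 500 1000 5000 1500 64 off on
"""

if __name__ == "__main__":
    accepted, rejected = parse_batch(SAMPLE, KNOWN_PORTS)
    print("\n".join(format_policy(p) for p in accepted))
    for line_no, errors in rejected:
        print(f"line {line_no}: " + "; ".join(errors))
```

Run against the sample, the first three lines pass and the last two are rejected: line 4 turns False Source on for a UDP rule, and line 5 has a minimum packet length above the maximum and enables Empty Connection without False Source. Feeding the exported TXT file through parse_batch before pasting catches these before the console does.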